When people find out what I do for a living, they often ask whether I think the Cloud is secure. We have written about this before, and my response is along the lines of:

"Cloud Service Providers probably do a better job of securing their servers and networks than a typical business." You can see the relief in their eyes as they take this to mean that their decision to move to the Cloud was a safe one. Then I add: "But the Cloud is something that is entirely managed and accessed via the public Internet, so it is fundamentally riskier."

The Cloud Dichotomy

This duality can be hard to grasp: the statement implies that the Cloud is both more secure and less secure. For organizations that must comply with industry and legislative standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), or the International Traffic in Arms Regulations (ITAR), the stakes are high. The efficiencies of Cloud services are incredibly appealing, but a security or privacy breach can result in massive fines and other expenses. A further challenge is that the security, visibility, and control demanded by industry and legislative compliance are directly at odds with the reasons users adopt Cloud services in the first place. Users are usually more interested in doing their jobs as efficiently as possible than in maintaining compliance with the regulation du jour.

In an effort to make this clearer, CipherPoint is writing a series of articles that review the controls necessary for compliance with PCI DSS, HIPAA, and ITAR and identify which of those controls are available in Office 365 or otherwise provided by Microsoft. This first article in the series covers PCI DSS (an easy task, as you will find out soon enough) and the Administrative Safeguards required by HIPAA.

Remember that many compliance mandates are an organizational responsibility, not a technology certification. As a general rule, your organization cannot offload the entire compliance burden to Microsoft. Microsoft runs the data centers but your organization is still responsible for the behavior of your users.

PCI DSS

Microsoft claims Level 1 compliance with the Payment Card Industry Data Security Standard (PCI DSS) for its own billing systems. Per Microsoft, however, "customers should not use the Office 365 service to transmit or store [cardholder] data for their own use." In practice this means that Office 365 must be kept out of the cardholder data environment, and therefore out of PCI DSS scope, for any organization that stores, processes, or transmits cardholder data. Microsoft does not say why this is the case, and any organization that intends to store sensitive information of any kind in Office 365 should press for an answer. One possible reason is that an organization storing cardholder data in Office 365 would be unable to demonstrate many of the required controls to its Qualified Security Assessor (QSA), since Microsoft, not the organization, performs those functions.

HIPAA/HITECH

The HIPAA and HITECH Acts together include specific requirements for privacy, information security, and breach notification. The HIPAA Security Rule requires common technical security controls such as user authentication, authorization, access control, encryption, data integrity, and audit logging. It also includes physical safeguards covering physical access to information and systems, including workstation access controls, device and media controls, and facility access controls. Finally, there are contractual requirements for sharing risk between covered entities and their service providers, called Business Associate Agreements (BAAs).

It is important to understand that HIPAA compliance is an organizational responsibility, not a technology certification. Microsoft can only help your organization meet HIPAA requirements: Microsoft is responsible for its own employees' access to patient information, not for the compliance requirements that apply when your employees and business associates access it.

You can use the table below as a worksheet to identify gaps in your organization’s compliance posture relative to the Administrative Safeguards required by HIPAA.

Microsoft uses QualysGuard to automatically identify vulnerabilities and configuration issues across the Microsoft online services. Not every requirement under this section can be automated with technology (workforce sanctioning, for example), but it is reasonable to assume that Microsoft has a policy for disciplining workers who fail to comply with its security policies.

Your organization can rely on Microsoft's vulnerability and patch management processes for the infrastructure layer of Office 365. You will still need your own policies and procedures for the configuration settings that are exposed to your end users and administrative staff.

45 CFR § 164.308(a)(2) Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. | Yes | ?

Ensure that your organization has assigned responsibility for the policies and procedures specific to the online services that make up the Office 365 suite. This is likely to be an extension of existing roles and, while policies may not have to change, you will need to update or create procedures specific to Office 365.

Office 365 lacks centralized permissions visibility and management, which will make it challenging for your organization to enforce these policies and procedures. You may need a third-party solution to manage and audit access to ePHI in Office 365, especially if you plan to allow access by external users.

45 CFR § 164.308(a)(5) Security awareness training | Yes | ?

45 CFR § 164.308(a)(6) Security incident procedures | Yes | ?

Given that information in Office 365 can be accessed from anywhere and from any device, your organization will need a strategy for identifying security incidents in public Cloud platforms. The SharePoint Online and OneDrive for Business components of Office 365 do not provide activity logging sufficient for monitoring user behavior and identifying suspicious activity.

45 CFR § 164.308(a)(7) Contingency plan | Yes | ?

The native backup capabilities in Office 365, especially those in SharePoint Online and OneDrive, are rudimentary. Microsoft has a robust infrastructure and delivers 99.99% uptime on average, but your organization must also have its own ability to maintain and restore exact copies of ePHI. You need to determine the impact to your organization if Office 365 is unavailable and plan accordingly.

45 CFR § 164.308(b)(1) Business Associate Agreement | Yes | N/A

Making the Grade

Compliance is a perennial and effective catalyst for information security budgets and priorities. The HIPAA requirements above are just the first example of the need to understand exactly which aspects of compliance you may outsource to Microsoft and which remain your organization's responsibility. As the table above indicates, there are very few categories of which Microsoft can assume total ownership. In fact, the compliance relationship between your organization and Microsoft is one of partnership rather than outsourcing.

Future articles in the series will cover the remaining Technical and Physical Safeguards under HIPAA, and then ITAR.

Mike Fleck is the CEO of CipherPoint, where he is responsible for executing on CipherPoint's vision to be the leader in data security for file sharing and collaboration platforms. Mike's passion is to remove the complexity from enterprise data security so CipherPoint's customers can focus on reducing risk, not administering products. Prior to joining CipherPoint, Mike spent over a decade in the storage encryption and key management industry. Mike has nearly 20 years of experience developing, architecting, and selling IT and security solutions to Fortune accounts and major Federal Government agencies. Prior to CipherPoint, Mike held leadership roles at Vormetric, High Tower Software, Predictive Systems (PRDS), and Lockheed Martin (LMT).
